Embedded Computers in Today’s Railway Systems

CompactPCI-based systems for railway applications offer all current PC functions and up-to-date technology, as well as robustness, safety and long-term availability.

By Barbara Schmitz, MEN MikroElektronik GmbH

The growing number of electronic systems being incorporated into trains and subway systems is finding a home on the back end of the computing scheme, typically controlling specialized functions that reside out of passengers’ view.

So, in talking about the modern-day railway engineering market, it is not only the vehicles themselves that need to be considered, but the technology that is hidden away as well, ensuring passenger safety as well as railway efficiency.

Railways are employing an increasing number of intuitive computer systems.

Submarkets Within the Railway Market
Common studies, like that of the independent consultancy company SCI Verkehr, roughly divide the railway market into three segments:

  • Infrastructure: the track system and electrification where no computers are typically needed
  • Vehicles: the physical cars used to transport passengers (locomotives, high-speed trains, metro-trains, railcars etc.) and freight (locomotives)
  • System technology: includes traffic management and train protection as well as “information technology” such as passenger information, passenger safety and fare management

It is these last two areas where computers are making the biggest impact.

The biggest initiative in updating vehicle technology is equipping cars with computers for train protection and control, while fulfilling many other passenger-related (or front-end) tasks. These can include the control of vital functions (e.g., drive, brake, power supply, tilting technology), safety management (doors, light, etc.) and convenience functions (heating, air conditioning, etc.) inside the vehicle.

System technology is the smallest, but fastest growing, segment of the railway market worldwide. Passenger information, which provides riders with conveniences, must also convey information on traffic management and train protection system-wide. With the ever-increasing speeds and denser traffic on the tracks themselves, safety and efficiency are primary concerns.

Railway-Compliant Computer Systems
There are two striking differences between a computer inside a rail vehicle or in train protection and those computers in other embedded applications.

On one hand, the electronics for railway-compliant control have to meet more severe requirements with respect to robustness, reliability and availability. They demand corresponding precautions and thorough knowledge in design, production, qualification and product care.

Robustness at the component level up to the entire system itself is imperative in safety-critical applications.

The EN 50155 standard, for example, defines rules regarding different environmental impacts with a required operating temperature range of -40°C to +70°C, including up to 10 minutes of operation up to +85°C (Tx). Not only must the electronics be coated by a special varnish for protection against humidity and condensation, the housing itself should be protected against splashing water. These are only a sampling of the stringent demands within the railway market, but overall, EN 50155 dictates that electronic equipment must operate in trains for 20 years – without regular periodical maintenance.

The second main difference relates to safety-critical parameters of the system and the standards in place to ensure quality and reliability system-wide. Safety Integrity Levels (SIL), defined by IEC 61508, range from 1 to 4 and represent increasing layers of system reliability and redundancy as the level increases. A safe system is a system with a defined error behavior. In case of an error, fail-safe systems switch off into a safe state – a train, for example, would stop. Fault-tolerant systems must continue proper operation when part of the system fails – an absolute must in a railway control center. This is achieved through redundant computer architectures and permanent testing of all components.

Long-term availability is extremely important in the railway market, because the vehicles have to pass complex acceptance tests before first operation and are then in use for several decades. The International Railway Industry Standard (IRIS) is a quality-management system built on ISO 9001. It requires very detailed documentation of key procedures and manufacturing processes to guarantee a high quality across the entire supply chain within the railway industry. IRIS processes include risk management, knowledge management or obsolescence management, among others.

The most significant IRIS procedures include Reliability – Availability – Maintainability – Safety (RAMS) and First Article Inspection (FAI). And finally all 12 knock-out criteria of IRIS, one of them being design validation, must be fulfilled during a certification audit, without exception.

RAMS is a significant aspect of quality management from a manufacturing perspective.

Typical Railway Computer Architectures
While many functions of a railway computer are designed for the specific application, more of these computers can be partially built using standard components to save time and cost. Due to its modularity, maintainability and robustness, the CompactPCI bus system has proved itself in the area of 19” solutions. Based on the Eurocard format and recently updated to include serial interfaces, such as PCI Express, SATA, USB and Ethernet, via CompactPCI Serial, these systems remain an ideal choice in railway applications as content servers or multimedia access units and for recording and managing camera data as well as for ticketing. They can be combined with diagnosis, maintenance and service functions, as well.

One or several CPU cards in the same system can take over different control jobs and can exchange results. In terms of processor architecture, the most up-to-date Intel platforms are available – currently the Intel® Core™ i7 processors (first and second generation) or certain Intel® Atom™ processors, and also backwards-compatible CPU board models based on the Intel® Pentium® M processor. Thanks to individually designed heat sinks, power-saving versions operate without active ventilation in the system, where necessary.

Under even more severe conditions, the single assemblies are packaged into conduction-cooled assembly (CCA) frames and housed by conduction-cooled enclosures that are even protected against splashing water (IP67). In standard, less-protected 19” enclosures, designers can still opt to coat all of the electronics against humidity, condensation and dust, a consideration that should be analyzed in the development phase.

In environments prone to shock and vibration, all components – even the CPU and main memory – are ideally permanently soldered on the board and special consideration should be taken if connectors are needed on the board. The 2 mm CompactPCI system connectors that link to the bus backplane (including the new CompactPCI Serial connectors) are sufficiently robust. At the computer’s front, the usual RJ45 should be replaced with D-Sub, Lemo or M12 connectors instead. The latter are now also available for Gigabit Ethernet. For antennas on wireless I/O cards, SMA connectors can be effectively employed.

Redundant Systems for Safer Travel
CompactPCI and CompactPCI Serial are ideal platforms for safe computers in applications ranging from train control, train protection and control technology to driverless operation in ATO systems.

Sub-computers on separate backplanes, each with a PSU and identical CPU board and I/O configurations, are built into the same rack or distributed over several racks, connected as redundant, complete systems that monitor each other. They communicate via Ethernet, for example. This is a 1-out-of-2 (1oo2) architecture, and additional redundancy can be built in if safety as well as availability is demanded, resulting in a 2oo3 or 2oo4, etc. architecture. The main memory in systems like these is typically protected using ECC.

Depending on system requirements, different redundancy levels can be built into a safety-critical computing system.

Another simple method is to use reflective memory assemblies in the system. Alternatively, individual boards with a triple-redundant processor and main memory, equipped with onboard voters and other safety-relevant features like Built-In Test Equipment (BITE), can be certified up to SIL 3 and SIL 4. Due to the lockstep architecture, the (also safe) operating system only “sees” one CPU, which reduces software overhead.
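The voting idea behind a 2oo3 arrangement, as an added example that is not from the article or from any vendor's product: a value is accepted only when a majority of healthy channels agree on it, and otherwise the fail-safe command is issued. The command codes, the per-channel health flag (standing in for a BITE result) and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CMD_SAFE_STOP 0u  /* hypothetical code for the fail-safe state (train stops) */

typedef struct { uint32_t command; bool healthy; } channel_t;  /* one redundant channel */
typedef struct { uint32_t command; bool degraded; bool safe_state; } vote_t;

/* M-out-of-N agreement voter. Only majority thresholds (2*m > n) are accepted,
 * so at most one value can ever reach the quorum. Channels whose self-test
 * failed are ignored; with no quorum the result is the fail-safe command. */
vote_t vote_moon(const channel_t *ch, size_t n, size_t m)
{
    vote_t r = { CMD_SAFE_STOP, true, true };
    if (ch == NULL || n == 0 || m > n || 2 * m <= n)
        return r;                       /* invalid setup: stay in the safe state */
    for (size_t i = 0; i < n; i++) {
        if (!ch[i].healthy)
            continue;
        size_t agree = 0;
        for (size_t j = 0; j < n; j++)
            if (ch[j].healthy && ch[j].command == ch[i].command)
                agree++;
        if (agree >= m) {
            r.command = ch[i].command;
            r.degraded = (agree < n);   /* a channel was outvoted or excluded */
            r.safe_state = false;
            return r;
        }
    }
    return r;                           /* no quorum: fail safe */
}

/* 2oo3 wrapper; bit i of health_mask set means channel i passed its self-test. */
vote_t vote_2oo3(uint32_t a, uint32_t b, uint32_t c, unsigned health_mask)
{
    channel_t ch[3] = { { a, (health_mask & 1u) != 0 },
                        { b, (health_mask & 2u) != 0 },
                        { c, (health_mask & 4u) != 0 } };
    return vote_moon(ch, 3, 2);
}

int main(void)
{
    vote_t v = vote_2oo3(7, 7, 9, 0x7);  /* constructed inputs: one channel deviates */
    printf("command=%u degraded=%d safe_state=%d\n",
           (unsigned)v.command, v.degraded, v.safe_state);
    return 0;
}
```

With one deviating or failed channel the voter keeps operating and raises the degraded flag for maintenance; once two channels are lost or disagree it can no longer form a quorum and falls back to the safe state.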

Mixed Processors for Enhanced Function
Since many CompactPCI systems used in railway applications don’t necessarily need powerful graphics, and as Windows is not the most favorable operating system for safe computers, CPU boards with PowerPC processors are also used in many cases. With less than 1 W of power dissipation, some types of the PowerQUICC II and III families are very power saving, while the high-performance types of the QorIQ family offer up to eight processor cores.

Even combinations of Intel® processor-based host CPUs with PowerPC-based slave CPUs inside the same system are common, such as for diagnosis and maintenance functions in different applications. A slave CPU connected via Ethernet could act as a diagnosis buffer. The PowerPC card running a VxWorks real-time operating system requires well under two seconds to boot and is ready for operation long before the Intel host is.

Reliability Lies in Design
No matter whether you deal with a CompactPCI, CompactPCI Serial or another type of embedded system – the top priorities are always compact and robust design, and standard conformity.

The train, as a modern transportation system, is becoming increasingly computerized. Computer systems for railway applications must include all current PC functions and up-to-date technology. But not only that: robustness, safety and long-term availability are also demanded in this market.

 



Since 1992, Barbara Schmitz has served as chief marketing officer of MEN MikroElektronik. Schmitz graduated from the University of Erlangen-Nürnberg. MEN MikroElektronik is an established manufacturer of failure-safe computer boards and systems for extreme environmental conditions in industrial, safety-critical and real-time embedded applications worldwide.